From 5f1af8a69db4e4c08eb4552d75475e70e5a9e579 Mon Sep 17 00:00:00 2001
From: Aditya Manthramurthy
Date: Wed, 20 Oct 2021 03:22:35 -0700
Subject: [PATCH] For IAM with etcd backend, avoid sending notifications (#13472)
As we use etcd's watch interface, we do not need the network notifications as they are no-ops anyway.
Bonus: Remove globalEtcdClient global usage in IAM
---
 cmd/admin-handlers-users.go | 80 ++++++++++++--------
 cmd/admin-handlers_test.go | 2 +-
 cmd/auth-handler_test.go | 4 +-
 cmd/gateway-main.go | 2 +-
 cmd/iam-etcd-store.go | 4 +-
 cmd/iam.go | 134 +++++++++++++++------------------
 cmd/server-main.go | 2 +-
 cmd/signature-v4-utils_test.go | 2 +-
 cmd/site-replication.go | 73 ++++++++++-------
 cmd/sts-handlers.go | 30 +++++--
 cmd/test-utils_test.go | 10 +--
 11 files changed, 183 insertions(+), 160 deletions(-)
diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
index 866cecc4a..d47efeabb 100644
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -242,10 +242,12 @@ func (a adminAPIHandlers) UpdateGroupMembers(w http.ResponseWriter, r *http.Requ
 }
 // Notify all other MinIO peers to load group.
- for _, nerr := range globalNotificationSys.LoadGroup(updReq.Group) {
- if nerr.Err != nil {
- logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
- logger.LogIf(ctx, nerr.Err)
+ if !globalIAMSys.HasWatcher() {
+ for _, nerr := range globalNotificationSys.LoadGroup(updReq.Group) {
+ if nerr.Err != nil {
+ logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
+ logger.LogIf(ctx, nerr.Err)
+ }
 }
 }
 }
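Review bot: The `if !globalIAMSys.HasWatcher() { … }` guard around the peer-notification loop is pasted verbatim into every hunk of this file (SetGroupStatus, SetUserStatus, AddUser, AddServiceAccount, UpdateServiceAccount, AddCannedPolicy, SetPolicyForUserOrGroup) and again in site-replication.go and sts-handlers.go, so there are now eighteen copies of the one condition that decides whether a credential or policy change reaches the other nodes. A small helper owning both the skip condition and the per-peer error tagging would make the next adjustment to that condition a single-line change instead of an eighteen-site sweep; the call site here would become `notifyIAMPeers(ctx, func() []NotificationPeerErr { return globalNotificationSys.LoadGroup(updReq.Group) })`, assuming the Load* methods still return `[]NotificationPeerErr`. The handler bodies these hunks sit in start and end outside the hunks.
```go
// notifyIAMPeers asks the other cluster nodes to reload an IAM entity by
// running notify, tagging and logging any per-peer error. It does nothing
// when the IAM store has its own change watcher (etcd): peers then pick the
// change up from the watch and the reload RPC would be a no-op.
func notifyIAMPeers(ctx context.Context, notify func() []NotificationPeerErr) {
	if globalIAMSys.HasWatcher() {
		return
	}
	for _, nerr := range notify() {
		if nerr.Err != nil {
			logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
			logger.LogIf(ctx, nerr.Err)
		}
	}
}

// … unchanged: UpdateGroupMembers up to the notification …
notifyIAMPeers(ctx, func() []NotificationPeerErr {
	return globalNotificationSys.LoadGroup(updReq.Group)
})
```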
@@ -334,10 +336,12 @@ func (a adminAPIHandlers) SetGroupStatus(w http.ResponseWriter, r *http.Request)
 }
 // Notify all other MinIO peers to reload user.
- for _, nerr := range globalNotificationSys.LoadGroup(group) {
- if nerr.Err != nil {
- logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
- logger.LogIf(ctx, nerr.Err)
+ if !globalIAMSys.HasWatcher() {
+ for _, nerr := range globalNotificationSys.LoadGroup(group) {
+ if nerr.Err != nil {
+ logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
+ logger.LogIf(ctx, nerr.Err)
+ }
 }
 }
 }
@@ -369,10 +373,12 @@ func (a adminAPIHandlers) SetUserStatus(w http.ResponseWriter, r *http.Request)
 }
 // Notify all other MinIO peers to reload user.
- for _, nerr := range globalNotificationSys.LoadUser(accessKey, false) {
- if nerr.Err != nil {
- logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
- logger.LogIf(ctx, nerr.Err)
+ if !globalIAMSys.HasWatcher() {
+ for _, nerr := range globalNotificationSys.LoadUser(accessKey, false) {
+ if nerr.Err != nil {
+ logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
+ logger.LogIf(ctx, nerr.Err)
+ }
 }
 }
 }
@@ -477,10 +483,12 @@ func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) {
 }
 // Notify all other Minio peers to reload user
- for _, nerr := range globalNotificationSys.LoadUser(accessKey, false) {
- if nerr.Err != nil {
- logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
- logger.LogIf(ctx, nerr.Err)
+ if !globalIAMSys.HasWatcher() {
+ for _, nerr := range globalNotificationSys.LoadUser(accessKey, false) {
+ if nerr.Err != nil {
+ logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
+ logger.LogIf(ctx, nerr.Err)
+ }
 }
 }
 }
@@ -623,10 +631,12 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
 }
 // Notify all other Minio peers to reload user the service account
- for _, nerr := range globalNotificationSys.LoadServiceAccount(newCred.AccessKey) {
- if nerr.Err != nil {
- logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
- logger.LogIf(ctx, nerr.Err)
+ if !globalIAMSys.HasWatcher() {
+ for _, nerr := range globalNotificationSys.LoadServiceAccount(newCred.AccessKey) {
+ if nerr.Err != nil {
+ logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
+ logger.LogIf(ctx, nerr.Err)
+ }
 }
 }
@@ -762,10 +772,12 @@ func (a adminAPIHandlers) UpdateServiceAccount(w http.ResponseWriter, r *http.Re
 }
 // Notify all other Minio peers to reload user the service account
- for _, nerr := range globalNotificationSys.LoadServiceAccount(accessKey) {
- if nerr.Err != nil {
- logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
- logger.LogIf(ctx, nerr.Err)
+ if !globalIAMSys.HasWatcher() {
+ for _, nerr := range globalNotificationSys.LoadServiceAccount(accessKey) {
+ if nerr.Err != nil {
+ logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
+ logger.LogIf(ctx, nerr.Err)
+ }
 }
 }
@@ -1422,10 +1434,12 @@ func (a adminAPIHandlers) AddCannedPolicy(w http.ResponseWriter, r *http.Request
 }
 // Notify all other MinIO peers to reload policy
- for _, nerr := range globalNotificationSys.LoadPolicy(policyName) {
- if nerr.Err != nil {
- logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
- logger.LogIf(ctx, nerr.Err)
+ if !globalIAMSys.HasWatcher() {
+ for _, nerr := range globalNotificationSys.LoadPolicy(policyName) {
+ if nerr.Err != nil {
+ logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
+ logger.LogIf(ctx, nerr.Err)
+ }
 }
 }
@@ -1475,10 +1489,12 @@ func (a adminAPIHandlers) SetPolicyForUserOrGroup(w http.ResponseWriter, r *http
 }
 // Notify all other MinIO peers to reload policy
- for _, nerr := range globalNotificationSys.LoadPolicyMapping(entityName, isGroup) {
- if nerr.Err != nil {
- logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
- logger.LogIf(ctx, nerr.Err)
+ if !globalIAMSys.HasWatcher() {
+ for _, nerr := range globalNotificationSys.LoadPolicyMapping(entityName, isGroup) {
+ if nerr.Err != nil {
+ logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
+ logger.LogIf(ctx, nerr.Err)
+ }
 }
 }
diff --git a/cmd/admin-handlers_test.go b/cmd/admin-handlers_test.go
index 666df99c6..1410fb3d2 100644
--- a/cmd/admin-handlers_test.go
+++ b/cmd/admin-handlers_test.go
@@ -73,7 +73,7 @@ func prepareAdminErasureTestBed(ctx context.Context) (*adminErasureTestBed, erro
 initAllSubsystems(ctx, objLayer)
- globalIAMSys.InitStore(objLayer)
+ globalIAMSys.InitStore(objLayer, globalEtcdClient)
 // Setup admin mgmt REST API handlers.
 adminRouter := mux.NewRouter()
diff --git a/cmd/auth-handler_test.go b/cmd/auth-handler_test.go
index 35478e40e..e1cb9227a 100644
--- a/cmd/auth-handler_test.go
+++ b/cmd/auth-handler_test.go
@@ -366,7 +366,7 @@ func TestIsReqAuthenticated(t *testing.T) {
 initAllSubsystems(context.Background(), objLayer)
- globalIAMSys.InitStore(objLayer)
+ globalIAMSys.InitStore(objLayer, globalEtcdClient)
 creds, err := auth.CreateCredentials("myuser", "mypassword")
 if err != nil {
@@ -457,7 +457,7 @@ func TestValidateAdminSignature(t *testing.T) {
 initAllSubsystems(context.Background(), objLayer)
- globalIAMSys.InitStore(objLayer)
+ globalIAMSys.InitStore(objLayer, globalEtcdClient)
 creds, err := auth.CreateCredentials("admin", "mypassword")
 if err != nil {
diff --git a/cmd/gateway-main.go b/cmd/gateway-main.go
index 27ca23b2a..188bfc740 100644
--- a/cmd/gateway-main.go
+++ b/cmd/gateway-main.go
@@ -306,7 +306,7 @@ func StartGateway(ctx *cli.Context, gw Gateway) {
 logger.FatalIf(globalNotificationSys.Init(GlobalContext, buckets, newObject), "Unable to initialize notification system")
 }
- go globalIAMSys.Init(GlobalContext, newObject)
+ go globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient)
 if globalCacheConfig.Enabled {
 // initialize the new disk cache objects.
diff --git a/cmd/iam-etcd-store.go b/cmd/iam-etcd-store.go
index 77908df94..e5db91178 100644
--- a/cmd/iam-etcd-store.go
+++ b/cmd/iam-etcd-store.go
@@ -65,8 +65,8 @@ type IAMEtcdStore struct {
 client *etcd.Client
 }
-func newIAMEtcdStore() *IAMEtcdStore {
- return &IAMEtcdStore{client: globalEtcdClient}
+func newIAMEtcdStore(client *etcd.Client) *IAMEtcdStore {
+ return &IAMEtcdStore{client: client}
 }
 func (ies *IAMEtcdStore) lock() {
diff --git a/cmd/iam.go b/cmd/iam.go
index 50576a4f8..3db497fb0 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -36,6 +36,7 @@ import (
 "github.com/minio/minio/internal/auth"
 "github.com/minio/minio/internal/logger"
 iampolicy "github.com/minio/pkg/iam/policy"
+ etcd "go.etcd.io/etcd/client/v3"
 )
 // UsersSysType - defines the type of users and groups system that is
@@ -299,11 +300,6 @@ func (sys *IAMSys) LoadGroup(objAPI ObjectLayer, group string) error {
 return errServerNotInitialized
 }
- if globalEtcdClient != nil {
- // Watch APIs cover this case, so nothing to do.
- return nil
- }
 sys.store.lock()
 defer sys.store.unlock()
@@ -343,12 +339,7 @@ func (sys *IAMSys) LoadPolicy(objAPI ObjectLayer, policyName string) error {
 sys.store.lock()
 defer sys.store.unlock()
- if globalEtcdClient == nil {
- return sys.store.loadPolicyDoc(context.Background(), policyName, sys.iamPolicyDocsMap)
- }
- // When etcd is set, we use watch APIs so this code is not needed.
- return nil
+ return sys.store.loadPolicyDoc(context.Background(), policyName, sys.iamPolicyDocsMap)
 }
 // LoadPolicyMapping - loads the mapped policy for a user or group
@@ -361,33 +352,30 @@ func (sys *IAMSys) LoadPolicyMapping(objAPI ObjectLayer, userOrGroup string, isG
 sys.store.lock()
 defer sys.store.unlock()
- if globalEtcdClient == nil {
- var err error
- userType := regUser
- if sys.usersSysType == LDAPUsersSysType {
- userType = stsUser
- }
+ var err error
+ userType := regUser
+ if sys.usersSysType == LDAPUsersSysType {
+ userType = stsUser
+ }
+ if isGroup {
+ err = sys.store.loadMappedPolicy(context.Background(), userOrGroup, userType, isGroup, sys.iamGroupPolicyMap)
+ } else {
+ err = sys.store.loadMappedPolicy(context.Background(), userOrGroup, userType, isGroup, sys.iamUserPolicyMap)
+ }
+
+ if err == errNoSuchPolicy {
 if isGroup {
- err = sys.store.loadMappedPolicy(context.Background(), userOrGroup, userType, isGroup, sys.iamGroupPolicyMap)
+ delete(sys.iamGroupPolicyMap, userOrGroup)
 } else {
- err = sys.store.loadMappedPolicy(context.Background(), userOrGroup, userType, isGroup, sys.iamUserPolicyMap)
- }
-
- if err == errNoSuchPolicy {
- if isGroup {
- delete(sys.iamGroupPolicyMap, userOrGroup)
- } else {
- delete(sys.iamUserPolicyMap, userOrGroup)
- }
- }
- // Ignore policy not mapped error
- if err != nil && err != errNoSuchPolicy {
- return err
+ delete(sys.iamUserPolicyMap, userOrGroup)
 }
 }
- // When etcd is set, we use watch APIs so this code is not needed.
- return nil
+ // Ignore policy not mapped error
+ if err == errNoSuchPolicy {
+ err = nil
+ }
+ return err
 }
 // LoadUser - reloads a specific user from backend disks or etcd.
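Review bot: On the new side `err == errNoSuchPolicy` is tested twice in a row with nothing between the two blocks, so the second test only exists to turn the value into `nil` before `return err`. Folding the two together reads more directly and keeps the "not mapped is not an error" rule in one place: end the first block with `// Policy not mapped is not an error: drop the stale entry and succeed.` followed by `return nil`, and drop the trailing `if err == errNoSuchPolicy { err = nil }` so the function ends with a bare `return err`. The same split-check shape appears in LoadUser in the next hunk. LoadPolicyMapping's signature and its objAPI nil-check precede the hunk.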
@@ -399,34 +387,34 @@ func (sys *IAMSys) LoadUser(objAPI ObjectLayer, accessKey string, userType IAMUs
 sys.store.lock()
 defer sys.store.unlock()
- if globalEtcdClient == nil {
- err := sys.store.loadUser(context.Background(), accessKey, userType, sys.iamUsersMap)
- if err != nil {
- return err
- }
- err = sys.store.loadMappedPolicy(context.Background(), accessKey, userType, false, sys.iamUserPolicyMap)
- // Ignore policy not mapped error
- if err != nil && err != errNoSuchPolicy {
- return err
- }
- // We are on purpose not persisting the policy map for parent
- // user, although this is a hack, it is a good enough hack
- // at this point in time - we need to overhaul our OIDC
- // usage with service accounts with a more cleaner implementation
- //
- // This mapping is necessary to ensure that valid credentials
- // have necessary ParentUser present - this is mainly for only
- // webIdentity based STS tokens.
- cred, ok := sys.iamUsersMap[accessKey]
- if ok {
- if cred.IsTemp() && cred.ParentUser != "" && cred.ParentUser != globalActiveCred.AccessKey {
- if _, ok := sys.iamUserPolicyMap[cred.ParentUser]; !ok {
- sys.iamUserPolicyMap[cred.ParentUser] = sys.iamUserPolicyMap[accessKey]
- }
+ err := sys.store.loadUser(context.Background(), accessKey, userType, sys.iamUsersMap)
+ if err != nil {
+ return err
+ }
+ err = sys.store.loadMappedPolicy(context.Background(), accessKey, userType, false, sys.iamUserPolicyMap)
+ // Ignore policy not mapped error
+ if err == errNoSuchPolicy {
+ err = nil
+ }
+ if err != nil {
+ return err
+ }
+ // We are on purpose not persisting the policy map for parent
+ // user, although this is a hack, it is a good enough hack
+ // at this point in time - we need to overhaul our OIDC
+ // usage with service accounts with a more cleaner implementation
+ //
+ // This mapping is necessary to ensure that valid credentials
+ // have necessary ParentUser present - this is mainly for only
+ // webIdentity based STS tokens.
+ cred, ok := sys.iamUsersMap[accessKey]
+ if ok {
+ if cred.IsTemp() && cred.ParentUser != "" && cred.ParentUser != globalActiveCred.AccessKey {
+ if _, ok := sys.iamUserPolicyMap[cred.ParentUser]; !ok {
+ sys.iamUserPolicyMap[cred.ParentUser] = sys.iamUserPolicyMap[accessKey]
 }
 }
 }
- // When etcd is set, we use watch APIs so this code is not needed.
 return nil
 }
@@ -439,14 +427,7 @@ func (sys *IAMSys) LoadServiceAccount(accessKey string) error {
 sys.store.lock()
 defer sys.store.unlock()
- if globalEtcdClient == nil {
- err := sys.store.loadUser(context.Background(), accessKey, svcUser, sys.iamUsersMap)
- if err != nil {
- return err
- }
- }
- // When etcd is set, we use watch APIs so this code is not needed.
- return nil
+ return sys.store.loadUser(context.Background(), accessKey, svcUser, sys.iamUsersMap)
 }
 // Perform IAM configuration migration.
@@ -455,18 +436,18 @@ func (sys *IAMSys) doIAMConfigMigration(ctx context.Context) error {
 }
 // InitStore initializes IAM stores
-func (sys *IAMSys) InitStore(objAPI ObjectLayer) {
+func (sys *IAMSys) InitStore(objAPI ObjectLayer, etcdClient *etcd.Client) {
 sys.Lock()
 defer sys.Unlock()
- if globalEtcdClient == nil {
+ if etcdClient == nil {
 if globalIsGateway {
 sys.store = &iamDummyStore{}
 } else {
 sys.store = newIAMObjectStore(objAPI)
 }
 } else {
- sys.store = newIAMEtcdStore()
+ sys.store = newIAMEtcdStore(etcdClient)
 }
 if globalLDAPConfig.Enabled {
@@ -584,9 +565,9 @@ func (sys *IAMSys) Load(ctx context.Context, store IAMStorageAPI) error {
 }
 // Init - initializes config system by reading entries from config/iam
-func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer) {
+func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etcd.Client) {
 // Initialize IAM store
- sys.InitStore(objAPI)
+ sys.InitStore(objAPI, etcdClient)
 retryCtx, cancel := context.WithCancel(ctx)
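Review bot: After the loadMappedPolicy call the new side splits the old single guard into `if err == errNoSuchPolicy { err = nil }` followed by `if err != nil { return err }`, which suggests err is consumed again later, but the remainder of the function only touches the maps; the original one-liner `if err != nil && err != errNoSuchPolicy { return err }` says exactly what is meant and is what the rest of the file uses. While these comment lines are being re-added, the typo in `// usage with service accounts with a more cleaner implementation` could become `// usage with service accounts with a cleaner implementation`. The shadowing of `ok` in `if _, ok := sys.iamUserPolicyMap[cred.ParentUser]; !ok` is carried over from the removed lines and is harmless here, but a `found` name would read better now that the block is de-indented. LoadUser's signature and its objAPI check lie before the hunk.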
@@ -611,11 +592,11 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer) {
 continue
 }
- if globalEtcdClient != nil {
+ if etcdClient != nil {
 // **** WARNING ****
 // Migrating to encrypted backend on etcd should happen before initialization of
 // IAM sub-system, make sure that we do not move the above codeblock elsewhere.
- if err := migrateIAMConfigsEtcdToEncrypted(retryCtx, globalEtcdClient); err != nil {
+ if err := migrateIAMConfigsEtcdToEncrypted(retryCtx, etcdClient); err != nil {
 txnLk.Unlock(lkctx.Cancel)
 if errors.Is(err, errEtcdUnreachable) {
 logger.Info("Connection to etcd timed out. Retrying..")
@@ -685,6 +666,13 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer) {
 go sys.watch(ctx)
 }
+// HasWatcher - returns if the IAM system has a watcher to be notified of
+// changes.
+func (sys *IAMSys) HasWatcher() bool {
+ _, ok := sys.store.(iamStorageWatcher)
+ return ok
+}
+
 func (sys *IAMSys) watch(ctx context.Context) {
 watcher, ok := sys.store.(iamStorageWatcher)
 if ok {
diff --git a/cmd/server-main.go b/cmd/server-main.go
index 0aade162e..d2d8075e5 100644
--- a/cmd/server-main.go
+++ b/cmd/server-main.go
@@ -570,7 +570,7 @@ func serverMain(ctx *cli.Context) {
 }
 // Initialize users credentials and policies in background right after config has initialized.
- go globalIAMSys.Init(GlobalContext, newObject)
+ go globalIAMSys.Init(GlobalContext, newObject, globalEtcdClient)
 initDataScanner(GlobalContext, newObject)
diff --git a/cmd/signature-v4-utils_test.go b/cmd/signature-v4-utils_test.go
index 80000c2aa..998505a43 100644
--- a/cmd/signature-v4-utils_test.go
+++ b/cmd/signature-v4-utils_test.go
@@ -42,7 +42,7 @@ func TestCheckValid(t *testing.T) {
 initAllSubsystems(context.Background(), objLayer)
- globalIAMSys.InitStore(objLayer)
+ globalIAMSys.InitStore(objLayer, globalEtcdClient)
 req, err := newTestRequest(http.MethodGet, "http://example.com:9000/bucket/object", 0, nil)
 if err != nil {
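Review bot: HasWatcher type-asserts `sys.store` without holding the IAMSys lock, while InitStore in the previous hunk assigns `sys.store` under `sys.Lock()`; serverMain and StartGateway now run `go globalIAMSys.Init(...)` in the background, so an admin or STS handler that reaches HasWatcher during startup races that assignment (an interface value is two words, so the read can tear, and `-race` will report it). The existing `watch` reads the field the same way but is only reached from Init after the store is set, so it is not exposed in the same way. Guard the accessor with `sys.Lock(); defer sys.Unlock()` before the assertion (an RLock if the embedded mutex is an RWMutex), provided nothing in Init holds that lock across its retry loop. The doc comment should follow Go convention and state the consequence: `// HasWatcher reports whether the IAM store delivers changes through its own watcher (etcd); callers skip peer reload RPCs when it does.` Because the answer depends only on the store's type and not on the watch goroutine having started or still running, it is worth confirming that `sys.watch` re-establishes the etcd watch after an error, since a failed watch would silently stop user-disable and policy changes from reaching peers now that the RPC fallback is gated on this method.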
diff --git a/cmd/site-replication.go b/cmd/site-replication.go
index b38eb7965..a2efe2364 100644
--- a/cmd/site-replication.go
+++ b/cmd/site-replication.go
@@ -380,10 +380,12 @@ func (c *SiteReplicationSys) AddPeerClusters(ctx context.Context, sites []madmin
 }
 // Notify all other Minio peers to reload user the service account
- for _, nerr := range globalNotificationSys.LoadServiceAccount(svcCred.AccessKey) {
- if nerr.Err != nil {
- logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
- logger.LogIf(ctx, nerr.Err)
+ if !globalIAMSys.HasWatcher() {
+ for _, nerr := range globalNotificationSys.LoadServiceAccount(svcCred.AccessKey) {
+ if nerr.Err != nil {
+ logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
+ logger.LogIf(ctx, nerr.Err)
+ }
 }
 }
@@ -489,10 +491,12 @@ func (c *SiteReplicationSys) InternalJoinReq(ctx context.Context, arg madmin.SRI
 }
 // Notify all other Minio peers to reload the service account
- for _, nerr := range globalNotificationSys.LoadServiceAccount(svcCred.AccessKey) {
- if nerr.Err != nil {
- logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
- logger.LogIf(ctx, nerr.Err)
+ if !globalIAMSys.HasWatcher() {
+ for _, nerr := range globalNotificationSys.LoadServiceAccount(svcCred.AccessKey) {
+ if nerr.Err != nil {
+ logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
+ logger.LogIf(ctx, nerr.Err)
+ }
 }
 }
@@ -961,11 +965,13 @@ func (c *SiteReplicationSys) PeerAddPolicyHandler(ctx context.Context, policyNam
 }
 if p != nil {
- // Notify all other MinIO peers to reload policy
- for _, nerr := range globalNotificationSys.LoadPolicy(policyName) {
- if nerr.Err != nil {
- logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
- logger.LogIf(ctx, nerr.Err)
+ if !globalIAMSys.HasWatcher() {
+ // Notify all other MinIO peers to reload policy
+ for _, nerr := range globalNotificationSys.LoadPolicy(policyName) {
+ if nerr.Err != nil {
+ logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
+ logger.LogIf(ctx, nerr.Err)
+ }
 }
 }
 return nil
@@ -1006,10 +1012,12 @@ func (c *SiteReplicationSys) PeerSvcAccChangeHandler(ctx context.Context, change
 }
 // Notify all other Minio peers to reload the service account
- for _, nerr := range globalNotificationSys.LoadServiceAccount(newCred.AccessKey) {
- if nerr.Err != nil {
- logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
- logger.LogIf(ctx, nerr.Err)
+ if !globalIAMSys.HasWatcher() {
+ for _, nerr := range globalNotificationSys.LoadServiceAccount(newCred.AccessKey) {
+ if nerr.Err != nil {
+ logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
+ logger.LogIf(ctx, nerr.Err)
+ }
 }
 }
 case change.Update != nil:
@@ -1033,10 +1041,12 @@ func (c *SiteReplicationSys) PeerSvcAccChangeHandler(ctx context.Context, change
 }
 // Notify all other Minio peers to reload the service account
- for _, nerr := range globalNotificationSys.LoadServiceAccount(change.Update.AccessKey) {
- if nerr.Err != nil {
- logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
- logger.LogIf(ctx, nerr.Err)
+ if !globalIAMSys.HasWatcher() {
+ for _, nerr := range globalNotificationSys.LoadServiceAccount(change.Update.AccessKey) {
+ if nerr.Err != nil {
+ logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
+ logger.LogIf(ctx, nerr.Err)
+ }
 }
 }
@@ -1066,13 +1076,14 @@ func (c *SiteReplicationSys) PeerPolicyMappingHandler(ctx context.Context, mappi
 }
 // Notify all other MinIO peers to reload policy
- for _, nerr := range globalNotificationSys.LoadPolicyMapping(mapping.UserOrGroup, mapping.IsGroup) {
- if nerr.Err != nil {
- logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
- logger.LogIf(ctx, nerr.Err)
+ if !globalIAMSys.HasWatcher() {
+ for _, nerr := range globalNotificationSys.LoadPolicyMapping(mapping.UserOrGroup, mapping.IsGroup) {
+ if nerr.Err != nil {
+ logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
+ logger.LogIf(ctx, nerr.Err)
+ }
 }
 }
-
 return nil
 }
@@ -1119,10 +1130,12 @@ func (c *SiteReplicationSys) PeerSTSAccHandler(ctx context.Context, stsCred madm
 }
 // Notify in-cluster peers to reload temp users.
- for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
- if nerr.Err != nil {
- logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
- logger.LogIf(ctx, nerr.Err)
+ if !globalIAMSys.HasWatcher() {
+ for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
+ if nerr.Err != nil {
+ logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
+ logger.LogIf(ctx, nerr.Err)
+ }
 }
 }
diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go
index ecc6135fb..3b6f3a1be 100644
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -277,10 +277,12 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
 }
 // Notify all other MinIO peers to reload temp users
- for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
- if nerr.Err != nil {
- logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
- logger.LogIf(ctx, nerr.Err)
+ if !globalIAMSys.HasWatcher() {
+ for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
+ if nerr.Err != nil {
+ logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
+ logger.LogIf(ctx, nerr.Err)
+ }
 }
 }
@@ -481,10 +483,12 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
 }
 // Notify all other MinIO peers to reload temp users
- for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
- if nerr.Err != nil {
- logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
- logger.LogIf(ctx, nerr.Err)
+ if !globalIAMSys.HasWatcher() {
+ for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
+ if nerr.Err != nil {
+ logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
+ logger.LogIf(ctx, nerr.Err)
+ }
 }
 }
@@ -645,10 +649,12 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 }
 // Notify all other MinIO peers to reload temp users
- for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
- if nerr.Err != nil {
- logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
- logger.LogIf(ctx, nerr.Err)
+ if !globalIAMSys.HasWatcher() {
+ for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
+ if nerr.Err != nil {
+ logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
+ logger.LogIf(ctx, nerr.Err)
+ }
 }
 }
diff --git a/cmd/test-utils_test.go b/cmd/test-utils_test.go
index f7ceaefa9..7c0bb2795 100644
--- a/cmd/test-utils_test.go
+++ b/cmd/test-utils_test.go
@@ -350,7 +350,7 @@ func UnstartedTestServer(t TestErrHandler, instanceType string) TestServer {
 initAllSubsystems(ctx, objLayer)
- globalIAMSys.InitStore(objLayer)
+ globalIAMSys.InitStore(objLayer, globalEtcdClient)
 return testServer
 }
@@ -1470,7 +1470,7 @@ func newTestObjectLayer(ctx context.Context, endpointServerPools EndpointServerP
 initAllSubsystems(ctx, z)
- globalIAMSys.InitStore(z)
+ globalIAMSys.InitStore(z, globalEtcdClient)
 return z, nil
 }
@@ -1518,7 +1518,7 @@ func initAPIHandlerTest(obj ObjectLayer, endpoints []string) (string, http.Handl
 initAllSubsystems(context.Background(), obj)
- globalIAMSys.InitStore(obj)
+ globalIAMSys.InitStore(obj, globalEtcdClient)
 // get random bucket name.
 bucketName := getRandomBucketName()
@@ -1808,7 +1808,7 @@ func ExecObjectLayerTest(t TestErrHandler, objTest objTestType) {
 initAllSubsystems(ctx, objLayer)
- globalIAMSys.InitStore(objLayer)
+ globalIAMSys.InitStore(objLayer, globalEtcdClient)
 // Executing the object layer tests for single node setup.
 objTest(objLayer, FSTestStr, t)
@@ -1829,7 +1829,7 @@ func ExecObjectLayerTest(t TestErrHandler, objTest objTestType) {
 initAllSubsystems(ctx, objLayer)
- globalIAMSys.InitStore(objLayer)
+ globalIAMSys.InitStore(objLayer, globalEtcdClient)
 defer removeRoots(append(fsDirs, fsDir))
 // Executing the object layer tests for Erasure.